News & Insights  |  Newsletters

Consumer Watchdog’s “Do Not Track” Petition – A Harbinger of the FCC’s New Role as Internet Privacy Cop?

July 2015
Privacy In Focus

Last month the public interest advocacy group Consumer Watchdog submitted a Petition for Rulemaking to the Federal Communications Commission (FCC or the Commission) asking the agency to initiate a proceeding that would require “edge providers,” such as Google and Netflix, to honor “Do Not Track” requests from consumers.The Petition marks the first in what will likely be a series of similar requests to be filed with the Commission asking the agency to broadly assert its authorities to become the privacy regulator for the entire broadband ecosystem. Whether the current FCC leadership will heed the call for such an expansive assertion of the Commission’s jurisdiction and how the courts will assess such a view of FCC authority remain unclear. What is clear is that, thanks to the FCC’s decade-long effort to adopt network neutrality regulation for broadband providers, privacy advocates now believe they have found a new venue in which to challenge the privacy and information security practices of not only broadband Internet access providers, but all companies that utilize the Internet as part of their business models.

FCC’s Open Internet Proceeding and Impact on Privacy Regulation

The FCC’s decade-long effort to adopt open Internet rules for broadband Internet access service providers began with its assertion of Title I “ancillary jurisdiction” under the Communications Act (the Act) over providers of “information services” (as broadband was then classified), and was followed by its efforts earlier this year to reclassify broadband as a “telecommunications service” subject to nondiscrimination provisions of Title II of the Act. This effort has greatly blurred the FCC’s regulatory distinctions and its ensuing consumer protection obligations between not only broadband service providers and providers of plain old telephone service (POTS), but also providers of broadband infrastructure and the providers of content, applications, services, or devices—known as edge providers—that use such infrastructure.

In the privacy context, two major decisions on net neutrality over the past two years could have profound consequences for the Commission’s assertion of jurisdiction—over not only broadband providers, but also edge providers—regarding customer privacy, information and data security, and data breach notification requirements.

First, in the 2014 Verizon v. FCC decision, the D.C. Circuit suggested that the Commission could reasonably interpret Section 706 of the 1996 Telecommunications Act as an independent grant of authority to the agency to assert regulatory power over providers of information service, which then included broadband service. The court based its decision on Section 706’s statutory language directing the FCC to “encourage the deployment on a reasonable and timely basis of advanced telecommunications capability to all Americans” by utilizing measures that “promote competition…or other regulating methods that remove barriers to infrastructure investment,” as well as to “take immediate action to accelerate deployment of such capability by removing barriers to infrastructure investment and by promoting competition.” The court then indicated its agreement with the FCC that regulations, such as the open Internet rules, could enable a “virtuous cycle” of innovation and investment, in which new products and services help drive end-user demand for broadband, which in turn drive network deployment and upgrade, which in turn lead to further innovative network uses.

It is important to note that in suggesting the Commission could reasonably construe Section 706 as a direct grant of authority from Congress, the D.C. Circuit identified two limiting principles to distinguish Section 706 from a broader general policy statement: (1) the Commission’s subject matter jurisdiction is limited to “all interstate and foreign communication by wire or radio;” and (2) the regulation must be designed to “encourage the deployment on a reasonable and timely basis of advanced telecommunications capability to all Americans.” Given that providers of online content, applications, and services have long been treated as providers of “information services” subject to the FCC’s Title I authority, advocates of expanded regulations will almost certainly contend that any regulatory power provided by Section 706 can be extended to cover edge providers if the FCC can show that such regulations are designed to encourage the timely deployment of broadband infrastructure.

Second, when the FCC reclassified broadband service from an information service to a telecommunications service subject to the Act’s Title II common carriage requirements, it chose not to forbear from applying Section 222 of the Act to broadband providers. Section 222 is the core privacy provision that has traditionally protected a telephone customer’s proprietary call-related information from disclosure or use by carriers under certain circumstances. That call-related information is defined as “customer proprietary network information,” or CPNI, by the Act. However, the FCC asserted in the 2015 Open Internet Order and a subsequent Section 222 Enforcement Advisory that Section 222, combined with Section 201(b) of the Act, requires a broadband provider to take reasonable measures to protect a customer’s sensitive personally identifiable information, beyond just CPNI. The FCC is only beginning to delineate through recent enforcement actions the scope of what constitutes “personal information” that would be protected by Section 222.

In arguing for the application of Section 222’s statutory language to broadband providers, the Commission found that “if consumers have concerns about the privacy of their personal information, such concerns may restrain them from making full use of broadband Internet access services and the Internet, thereby lowering the likelihood of broadband adoption and decreasing consumer demand.” Therefore, in finding that the protection of customers’ personal information may contribute to the “virtuous cycle” of innovation and investment, the Commission made no distinction about whether a consumer’s privacy concerns stemmed from the practices of broadband providers or edge providers. Given that the Commission has consistently asserted jurisdiction over edge providers as providers of “information services” and that it views itself as having the authority under Section 706 to adopt Internet privacy regulations, it is not difficult to foresee the FCC extending any of its Section 222 rules for broadband providers to reach edge companies.

Consumer Watchdog’s “Do Not Track” Petition and the FCC’s Future Role

Perceiving a new-found potential for the Commission to vastly expand its privacy authority following last year’s Verizon decision and this year’s Open Internet Order, Consumer Watchdog filed a petition (the Petition) with the Commission on June 15th requesting the Commission to initiate a rulemaking proceeding to require edge providers to honor users’ “Do Not Track” requests. The Petition cites the Commission’s own arguments for applying Section 222’s privacy protections to broadband providers as the basis for applying “Do Not Track” regulation to edge providers under Section 706. It argues that consumers are concerned about the privacy of their personal information online and that online tracking and data collection practices of edge providers pose the same threat to widespread broadband adoption as any privacy practice of broadband providers. In addition, since edge providers collect the same sensitive personal information as broadband providers, the Petition argues that the Commission must maintain regulatory parity between the edge providers and broadband providers. Consumer Watchdog contends that a failure to do so would in effect grant a regulatory advantage to the edge providers and implicate concerns of market distortions. Finally, the Petition argues that existing remedies under the Federal Trade Commission’s (FTC) enforcement authority are insufficient to protect users from online tracking of personal information and that, accordingly, it is necessary for the FCC to adopt enforceable rules with meaningful remedies and penalties. This effort suggests that, for many privacy advocates long frustrated by the FTC’s lack of general rulemaking authority, the FCC could become the fertile new ground for advocating in favor of new privacy rules for the Internet.

Whether it’s the offering of broadband Internet access service by traditional edge providers such as Google through Google Fiber, or broadband carriers becoming producers of online content and services, such as Verizon’s acquisition of AOL, the distinction between broadband providers and edge providers has and will become increasingly blurred. Thanks to the FCC’s recent assertion of authority to adopt open Internet rules, the traditional regulatory framework governing the practices of broadband and edge providers also is breaking down. FCC Chairman Tom Wheeler recently stated that the Commission will initiate a proceeding this Fall to promulgate Section 222 rules in the broadband context. Providers of online content, applications, and services should follow the development of that proceeding—along with the disposition of Consumer Watchdog’s “Do Not Track” Petition—very closely, as the privacy rules governing the practice of broadband providers may become the baseline rules governing the entire broadband ecosystem.